USN-1355-2: Mozvoikko update

Ubuntu Security Notice USN-1355-2

mozvoikko update

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 11.10

Ubuntu 11.04

Ubuntu 10.10

Ubuntu 10.04 LTS

Summary

This update provides compatible Mozvoikko packages for the latest Firefox.

Software description

mozvoikko
- Finnish spell-checker extension for Firefox

Details

USN-1355-1 fixed vulnerabilities in Firefox. This update provides anupdated Mozvoikko package for use with the latest Firefox.

Original advisory details:

It was discovered that if a user chose to export their Firefox Sync key the "Firefox Recovery Key.html" file is saved with incorrect permissions, making the file contents potentially readable by other users. (CVE-2012-0450)

Nicolas Gregoire and Aki Helin discovered that when processing a malformed embedded XSLT stylesheet, Firefox can crash due to memory corruption. If the user were tricked into opening a specially crafted page, an attacker could exploit this to cause a denial of service via application crash, or potentially execute code with the privileges of the user invoking Firefox. (CVE-2012-0449)

It was discovered that memory corruption could occur during the decoding of Ogg Vorbis files. If the user were tricked into opening a specially crafted file, an attacker could exploit this to cause a denial of service via application crash, or potentially execute code with the privileges of the user invoking Firefox. (CVE-2012-0444)

Tim Abraldes discovered that when encoding certain images types the resulting data was always a fixed size. There is the possibility of sensitive data from uninitialized memory being appended to these images. (CVE-2012-0447)

It was discovered that Firefox did not properly perform XPConnect security checks. An attacker could exploit this to conduct cross-site scripting (XSS) attacks through web pages and Firefox extensions. With cross-site scripting vulnerabilities, if a user were tricked into viewing a specially crafted page, a remote attacker could exploit this to modify the contents, or steal confidential data, within the same domain. (CVE-2012-0446)

It was discovered that Firefox did not properly handle node removal in the DOM. If the user were tricked into opening a specially crafted page, an attacker could exploit this to cause a denial of service via application crash, or potentially execute code with the privileges of the user invoking Firefox. (CVE-2011-3659)

Alex Dvorov discovered that Firefox did not properly handle sub-frames in form submissions. An attacker could exploit this to conduct phishing attacks using HTML5 frames. (CVE-2012-0445)